anefficientandeffectiveapproachforfloodingattack...

Research ArticleAn Efficient and Effective Approach for Flooding AttackDetection in Optical Burst Switching Networks

Bandar Almaslukh

Department of Computer Science College of Computer Engineering and Sciences Prince Sattam Bin Abdulaziz UniversityAl-Kharj 11942 Saudi Arabia

Correspondence should be addressed to Bandar Almaslukh balmaslukhpsauedusa

Received 27 March 2020 Revised 8 July 2020 Accepted 11 July 2020 Published 5 August 2020

Academic Editor Muhammad Faisal Amjad

Copyright copy 2020 Bandar Almaslukh(is is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Optical burst switching (OBS) networks are frequently compromised by attackers who can flood the networks with burst headerpackets (BHPs) causing a denial of service (DoS) attack also known as a BHP flooding attack Nowadays a set of machinelearning (ML) methods have been embedded into OBS core switches to detect these BHP flooding attacks However due to theredundant features of BHP data and the limited capability of OBS core switches the existing technology still requires majorimprovements to work effectively and efficiently In this paper an efficient and effective ML-based security approach is proposedfor detecting BHP flooding attacks (e proposed approach consists of a feature selection phase and a classification phase (efeature selection phase uses the information gain (IG) method to select the most important features enhancing the efficiency ofdetection For the classification phase a decision tree (DT) classifier is used to build the model based on the selected features ofBHPs reducing the overfitting problem and improving the accuracy of detection A set of experiments are conducted on a publicdataset of OBS networks using 10-fold cross-validation and holdout techniques Experimental results show that the proposedapproach achieved the highest possible classification accuracy of 100 by using only three features

1 Introduction

Optical burst switching (OBS) in networks has become animportant dynamic sub-wavelength switching techniqueand a solution for developing the new type of Internetbackbone infrastructure [1] (e OBS network mainlyconsists of three types of nodes namely core nodes ingressand egress(e core nodes represent the intermediate nodeswhich are designed to reduce the processing and buffering ofthe optical data burst using a control data packet withspecific information namely burst header packets (BHPs)[2]

In a network with burst traffic OBS plays an essentialrole for packet switching with a higher level of necessarydetails than other existing networksrsquo switching techniquesHowever this type of switching is still suffering from severalchallenges such as security and quality of service (QoS) dueto BHP flooding attacks (e function of BHP in OBS is toreserve the unused channel for the arrival of a data burst

(DB) (is function can be exploited by attackers to sendfake BHPs without DB acknowledgment Such fake BHPscan affect the network and reduce its performance throughdecreasing bandwidth utilization and increasing data lossleading to a denial of service (DoS) attack [3] which is one ofthe most crucial security threats to networks

Several methods have been proposed to tackle DoS andBHP flooding attacks on OBS networks in the literature andhave achieved satisfactory results [4ndash6] However due to thelimited capability of OBS core switches developing alightweight method that can attain high accuracy with asmall number of features is still a challenging issue fordevelopers and researchers

In this research an effective and efficient approach isproposed for securing the OBS networks (us the mainobjective of the work is to develop a lightweight ML modelfor detecting BHP flooding attacks based on the informationgain (IG) feature selection method and a decision tree (DT)classifier To achieve this objective two key research

HindawiSecurity and Communication NetworksVolume 2020 Article ID 8840058 11 pageshttpsdoiorg10115520208840058

questions are formulated to answer throughout this study(e first research question is does the feature selectionmethod improve the effectiveness of the DTmodel to detectthe BHP flooding attacks (e second research question isdoes the feature selection method improve the efficiency ofthe DT model for detecting the BHP flooding attacks Ac-tually the lightweight property of the model comes from thefact that only a small number of features are used to build theclassifier (e model will be evaluated using a public OBSdataset based on a set of performance metrics such as ac-curacy precision recall and F-measure

(e remainder of the research is organized as follows

(i) In Section 2 related works are introduced to givedetails about the proposed approaches and methodsof DoS attack on different networks

(ii) Section 3 presents the proposed approach archi-tecture for detecting the BHP flooding attacks onOBS networks

(iii) Section 4 explains the experimental setup and re-sults in more detail

(iv) Section 5 presents the conclusion of the study

2 Related Works

Nowadays machine learning (ML) methods have been usedin many intrusion detection systems (IDSs) to detect severaltypes of network attacks However feature selectionmethods are also used to select the significant features ofnetwork traffic without reducing the performance of theIDSs [7] Feature selection is the process of selecting the bestset of features that can be most effective for classificationtasks [8 9] (e high number of features may decrease theperformance and accuracy of many classification problems[10 11]

In the field of optimization feature selection methodsare classified in three main approaches embedded wrapperand filter methods [12] For the filter methods there are twomajor types of evaluation subset feature evaluation andgroups of individual feature evaluation In the groups ofindividual feature evaluation heuristic or metaheuristicfilter methods or even the hybrid of them is utilized forranking the features and then the best of them is selectedbased on some thresholds [11 13] In contrast the subsetfeature evaluation methods find the subset of candidatefeatures using a certain measure or a certain strategy (eycompare the previous best subset with the current subset forfinding the candidate subset of features In the groups ofindividual feature evaluation methods the redundant fea-tures are kept in the final subset of selected featuresaccording to their relevance but the group of subset featureevaluation methods removes the features with similar ranksIn general the filter methods are considered as classifier-independent approaches [13] (e wrapper methods areclassifier-dependent approaches that take each time asubset of features from the total features and calculate theaccuracy of classifiers to find the best subset (ereforethey are time consuming compared with filter methods

[14] (e embedded methods combine wrapper and filtermethods [15] In this study a filter-based method is usedfor feature selection

In the literature review of intrusion detection a set ofMLand deep learning (DL) methods have been widely used todetect different types of attacks in several works [16ndash20]Meanwhile a set of related works have also been proposedfor detecting BHP flooding attacks using different MLmethods like the decision tree (DT) method in [21] (iswork evaluated the performance of the adopted methodusing different metrics and reported a 93 accuracy rate inclassifying the classes of BHP flooding attack Liao et al [22]introduced a classification approach to classify the accesspatterns of various users using sparse vector decomposition(SVD) and rhythm matching methods (is study demon-strates that the approach is able to distinguish between theintruders and the legal users in the application layer

Xiao et al [23] offered an effective scheme for detecting adistributed DoS attack (DDoS) using the correlation of theinformation generated by the data center and the k-nearestneighbors (KNNs) method (ey analyzed the flows of datatraffic at the center to identify normal and abnormal flowsIn [24] the authors proposed an approach for detectingDDoS attacks based on seven features and using an artificialneural network (ANN) method with a radial basis function(RBF) (is NN-RBF approach can classify the data trafficinto attack or normal classes by sending the IP address of theincoming packets from the source nodes to be filtered in thealarmmodules which then decide if these data packets can besent to the destination nodes

(e authors in [25] applied a data mining method fordetecting a DDoS attack using the fuzzy clustering method(FCM) and a priori association algorithm to categorize thedata traffic patterns and the status of the network AnotherML approach in [26] used a DT method with a grey rela-tional analysis for detecting DDoS attacks (ey also appliedthe pattern matching technique to the data flows for tracingback the estimated location of the attackers

Alshboul [27] investigated the use of rule inductionnodes for BHP classification in OBS networks (e authorapplied a set of data mining methods to the public OBSnetwork dataset He reported that the repeated incrementalpruning to produce error reduction (RIPPER) rule inductionalgorithm Naıve Bayes (NB) and Bayes Net were able toachieve a predictive accuracy of 98 69 and 85respectively

Chen et al [28] developed a detection method to identifya DDoS attack using ANN A set of different simulated DoSattacks were used for training the ANN model to recognizeabnormal behaviors Li et al [29] offered different types ofANN models including learning vector quantization (LVQ)models to differentiate traffic associated with DDoS attacksfrom normal traffic (e authors converted the values of thedataset features into a numerical format before feeding theminto the ANN model

In [30] the authors presented a probabilistic ANNapproach for classifying the different types of DDoS attacks(ey categorized the DDoS attacks and normal traffic byapplying radial basis function neural network (RBF-NN)

2 Security and Communication Networks

coupled with a Bayes decision rule Nevertheless the ap-proach concentrated on the events of unscrambling flashcrowds generated by DoS attacks

Li and Liu [31] proposed a technique that integrates thenetwork intrusion prevention system with SVM to improvethe accuracy of detection and reduce the incidents of falsealarms In [32] Ibrahim offers a dynamic approach based ondistributed time-delay ANN with soft computing methods(is approach achieved a fast conversion rate high speedand a high rate of anomaly detection for network intrusions

Gao et al [33] introduced a data mining method foranalyzing the piggybacked packets of the network protocolto detect DDoS attacks (e advantage of this method is toretain a high rate of detection without manual data con-struction Hasan et al [34] proposed a deep convolutionalneural network (DCNN) model to detect BHP flooding attackson OBS networks (ey reported that the DCNNmodel worksbetter than any other traditional machine learning models(eg SVM Naıve Bayes and KNN) However due to thesmall number of samples in the dataset and the limited resourceconstraints of OBS switches such deep learningmodels are noteffective tools to detect BHP flooding attacks and they arenot computationally efficient to run in such network

3 Proposed Approach

(e proposed approach in this paper consists of two mainphases feature selection and classification (e input of theapproach is a set of OBS dataset features collected fromnetwork traffic (e output of the approach is a class label ofthe BHP flooding attacks (e flowchart of the proposedapproach is illustrated in Figure 1

In the feature selection phase of the approach the inputfeatures of OBS network traffic are prepared for processing byusing the information gain (IG) feature selection method (epurpose of IG is to rank the features and discover the merit ofeach of them according to the information gain evaluation ofthe entropy function(e output of the feature selection phase isa scored rank of features in decreasing order according to theirmerit whereby adding any feature decreases the features merit

(is is then followed by the classification phase in whichthe dataset with selected features will be used to train and testthe DT classifier to detect attacks on OBS networks (eoutput of the classification phase is a DT trained model thatis able to classify the BHP flooding attacks and return theclass label of that attack (e following sections explain themethods used in the two phases of the proposed approach

31 Information Gain (IG) Feature Selection MethodInformation gain (IG) is a statistical method used to measurethe essential information for a class label of an instance basedon the absence or presence of the feature in that instance IGcomputes the amount of uncertainty that can be reduced byincluding the features (e uncertainty is usually calculatedby using Shannonrsquos entropy (E) [35] as

E(D) 1113944n

i1Pilog2 Pi( 1113857 (1)

where n represents the number of class labels and Pi is theprobability that an instance i in a dataset D can be labeled asa class label c by computing the proportion of instances thatbelong to that class label for the instance i as follows

DiisinC1113868111386811138681113868

1113868111386811138681113868

D (2)

A selected feature f divides the training set into subsetsD1 D2 Dv according to the values of f where f has v

distinct values (e information required to get the exactclassification is measured by

Reminder(f) 1113944v

j1

Dj

11138681113868111386811138681113868

11138681113868111386811138681113868

Dtimes E(DJ) (3)

where |Dj|D represents the weight of jth subset |D| is thenumber of instances in the dataset D |Dj| is the number ofinstances in the subset Dj and E(Dj) is the entropy of thesubset Dj (erefore the IG of every feature is calculated as

IG(f) E(D) minus Reminder(f) (4)

After calculating the IG for each feature the top kfeatures with the highest IG will be selected as a feature setbecause it reduces the information required to classify theflooding attack

32 Decision Tree Method Decision tree (DT) is a tree-likemodel of decisions with possible consequences that iscommonly used in the fields of data mining statistics andmachine learning [36] In machine learning the goal of DTisto build a model that predicts or classifies the value of atarget class based on a learning process from several inputfeatures (e tree model that has a target class label withdiscrete values is called a classification tree model In thismodel the tree leaves constitute the values of the class labeland the tree branches constitute aggregations of features thatproduce this class label

DT learning is a simple process to represent the featuresfor predicting or classifying instances DTmodels are createdby splitting the input feature set into subsets that establishthe successor nodes of the children thereby establishing thetree root node Based on a set of splitting rules on the valuesof the features the splitting process for each derived subset isrepeated in a recursive manner [36] (is recursive manneris stopped when the splitting process no longer adds valuesto the predictions or when the subset of nodes have all thesame values of the target class label

(e DTcan be described also as a mathematical model tosupport the categorization description and generalizationof a given dataset

Assume the dataset comes in the form of records asfollows

(x y) x1 x2 x3 xk y( 1113857 (5)

where the variable y is a dependent target variable that weneed to generalize or classify (e vector x consists of thefeatures x1 x2 x3 xk which are led to the variable y

Security and Communication Networks 3

In principle the DT is based on the C45 algorithm [37]which is an updated version of the ID3 algorithm [38] C45can avoid the overfitting problem of ID3 by using the rule-post pruning technique to convert the building tree into a setof rules

DT is used in the proposed approach because it is simplevery intuitive and easy to implement Furthermore it dealswith missing values requires less effort in terms of datapreprocessing and does not need to scale or normalize thedata [36]

4 Experiments and Discussion

(e experiments of this research are implemented using apopular open source tool called the Waikato Environmentfor Knowledge Analysis (Weka) software [39] whichoffers a rich toolbox of machine learning and data miningmethods for preprocessing analyzing clustering andclassification It offers Java-based graphical user interfaces(GUIs) (e implementation was performed on a laptopwith an Intel Core i7 CPU processor 20 GHz 8 GB RAMand a Windows 10 64 bit operating system Due to thescarcity of OBS historical data the experiments wereconducted on a public optical burst switching (OBS)network dataset [1]

41 OBS Network Dataset Description (e OBS networkdataset is a public dataset available from the UCI MachineLearning Repository [1] It contains a number of BHPflooding attacks on OBS networks (ere are 1075 instanceswith 21 attributes as well as the target class label (is targetlabel has four types of classes which are NB-no block (notbehaving-no block) block no block and NB-wait (notbehaving-wait) All dataset features have numeric valuesexcept for the node status feature that takes a categoricalvalue out of three values B (behaving) NB (not behaving)and potentially not behaving (PNB) (e description of thedataset features is given in Table 1

Table 2 shows the number of instances for each class inthe dataset while Figure 2 shows the distribution of in-stances over different types of BHP flooding attacks (isfigure is deduced from the dataset

42 Evaluation Measures (e experimental results will beevaluated using four evaluation measures (ese measuresare precision recall F-measure and accuracy (e followingequations show how these evaluation measures arecomputed

precision TP

TP + FP

recall(sensitivity) TP

TP + FN

F minus measure 2lowast(precisionlowast recall)(precision + recall)

accuracy TP + TN

TP + TN + FP + FN

(6)

where FP is the number of false positives FN is the numberof false negatives TP is the number of true positives and TNis the number of true negatives

43 Results and Comparisons In this section the experi-mental results for both the feature selection and classifica-tion phases of the proposed approach are given in detail (eaverage rank score and average merit of features from the IGfeature selection method are shown in Table 3 and are basedon a 10-fold cross-validation with stratified sampling inorder to guarantee that both training and testing sets havethe same ratio of classes

In Table 3 the dataset features are ranked in decreasingorder according to their significance to target classes (ereason behind this variation in the feature significance is thatthe target class has four categorical labels and for each labeldifferent values for each feature are assigned (erefore therank score from the IG method determines how much eachfeature contributes to the target class label

(e rank scores in Table 3 show that the ldquopacket re-ceivedrdquo ldquo10-run-AVG-drop-raterdquo and ldquoflood statusrdquo fea-tures have higher scores than all the other features (us thehypothesis that those first three features (packet received10-run-AVG drop-rate and flood status) are more influ-ential and more correlated to the labels of target class will bechecked experimentally in the following paragraphs

Optical burstswitching (OBS)network dataset

Feature selectionphase using

information gain(IG) method

Classification phaseusing decision tree

(DT) classifierbased on the selected

features

BHP flooding attacks(NB-no block block

no block and NB-wait)

Figure 1 Flowchart of the proposed approach


To accept or reject this hypothesis the evaluation resultsof the DT method are presented using all features and thecombinations of the three selected features (ese evaluationresults are reported based on the holdout and 10-fold cross-validation techniques For the holdout technique the datasetis divided into 75 for training and 25 for testing Beforeapplying the DT method for classifying the types of BHPflooding attacks and getting the results an analysis of the DT

Table 1 (e description of the dataset features

No Feature name Feature description1 Node It is a numeric feature representing the number of node that sends the data traffic2 Utilized bandwidth rate It is a numeric feature representing the rate of bandwidth used3 Packet drop rate It is a numeric feature representing the rate of packet drop4 Reserved bandwidth It is a numeric feature denoting the initial reserved bandwidth assigned to a given node

5 Average delay time persec

It is a numeric feature denoting the average delay time per second for each node It is also called end-to enddelay feature

6 Percentage of lost packetrate It is a numeric feature representing the percentage rate of lost packets for each node

7 Percentage of lost byterate It is a numeric feature representing the percentage rate of lost bytes for each node

8 Packet received rate It is a numeric feature representing the packet received rate per second for each node based on the reservedbandwidth

9 Used bandwidth It is a numeric feature represents the bandwidth used or what each could reserve from the reservedbandwidth

10 Lost bandwidth It is a numeric feature denoting the lost amount of bandwidth by each node from the reserved bandwidth

11 Packet size byte

It is a numeric feature denoting the packet size in bytes allocated explicitly for each node to transmit Forinstance if the data size is 1440 bytes and there are 60 bytes for (IP header 40 bytes) + (UDP header

20 bytes) then all headers will be added to the data size to get 1500 byte as follows packet size ((data size1440 bytes) + (IP header 40 bytes) + (UDP header 20 bytes)) 1500 bytes

12 Packet transmitted (is is a numeric feature representing the total packets transmitted per second for each node based on thereserved bandwidth

13 Packet received (is is a numeric feature representing the total packets received per second for each node based on thereserved bandwidth

14 Packet lost (is is a numeric feature representing the total packets lost per second for each node based on the lostbandwidth

15 Transmitted byte (is is a numeric feature representing the total bytes transmitted per second for each node

16 Received byte It is a numeric feature denoting the total bytes received per second for each node based on the reservedbandwidth

17 10-run-AVG-drop-rate (is is a numeric feature representing the rate of average packets that drop for 10 consecutive iterationsand runs

18 10-run-AVG-bandwidth-use

It is a numeric feature representing the average bandwidth that is utilized for 10 consecutive iterations andruns

19 10-run-delay (is is a numeric feature representing the time of average delay for 10 consecutive (run) iterations

20 Node status(is is a categorical feature It is an initial classification of nodes based on the rate of packet drop usedbandwidth and average delay time per second (e categorical values are B for behaving NB for not

behaving and PNB for potentially not behaving

21 Flood status (is is a numeric feature that represents the percentage of flood per node It is based on the packet droprate medium and high level of BHP flood attack in case behaving (B)

22 Class label(is feature is a categorical feature that represents the final classification of nodes based on the packet droprate reserved bandwidth number of iterations used bandwidth and packet drop rate (e categorical

values of the class label are NB-no block block no block and NB-wait

Table 2(e number of instances for each class in the OBS networkdataset

Class label NB-noblock Block No block NB-wait Total

No ofinstances 500 120 155 300 1075

47

11

14

28

NB-no blockBlock

No blockNB-wait

Figure 2 (e distribution of instances for each class in the OBSnetwork dataset


parameters is investigated to tune and select the best valuesof these parameters

Practically the DT classifier (J48) in Weka performs thepruning process based on a set of parameters which are thesubtree raising the confidence factor and the minimalnumber of objects(e default values of these parameters aretrue 025 and 2 respectively (e subtree raising is theparameter that can be used to move the node of the treeupwards towards the root that can replace other nodesduring the pruning process Confidence factor is a thresholdof acceptable error in data through pruning the DTand thisvalue should be smaller However in the proposed approachthe values of subtree raising and confidence factor param-eters are set to have the default values (e minimal numberof objects is very important parameter to represent theminimal number of nodes in a single leaf It is used to obtainsmaller and simpler decision trees based on the nature of theproblem For tuning the minimal number of objects pa-rameter we try a set of different values for selecting the bestvalue of this parameter Figure 3 shows the accuracies ofproposed approach at different values of minimal number ofobjects in the range from 2 to 5 (ese accuracies are ob-tained using the holdout technique with 75 training and25 testing

As shown in Figure 3 it is clear that the best values ofminimal number of objects in a single leaf are 1 and 2 thatgenerate a simple and accurate DTmodel (e value of thisparameter is set to be 2 to make the DT model moderatelysimple

Once the values of DT parameters are selected theevaluation results of the proposed approach are reported in

next tables and figures Table 4 presents the evaluation re-sults of the holdout technique for classifying BHP floodingattacks using all features in the dataset Figure 4 shows theconfusion matrix of classification for the 25 testing set

Table 5 illustrates the evaluation results of the holdouttechnique for classifying the BHP flooding attacks using thefirst three selected features (packet received 10-run-AVG-drop-rate and flood status) of the dataset and Figure 5shows the confusion matrix of this evaluation result

From Tables 4 and 5 as well as from Figures 4 and 5 it isclear that the selected features improved the values ofevaluation measures for the DTmethod to classify the BHPflooding attacks Moreover for efficiency detecting attacksusing only three features is more efficient for the OBS coreswitches which have limited resources

To validate the evaluation results other experiments forthe DT classification method based on the 10-fold cross-validation technique were conducted using all features andusing the first three selected features from the IG featureselection method Table 6 shows the evaluation results andFigure 6 shows the confusion matrix for classifying the BHPflooding attacks using all features based on the 10-fold cross-validation technique

Similarly Table 7 and Figure 7 present the evaluationresults and the confusion matrix respectively for classifyingthe BHP flooding attacks using the first three selected fea-tures based on the 10-fold cross-validation technique

(e evaluation results in Tables 6 and 7 and Figures 6 and7 validate the evaluation results of the 10-fold cross-vali-dation technique that confirm the remarkable performanceof the proposed approach After further investigation theevaluation results of the DTclassification methods using oneand two features from the first three selected features arecompared with the previous results of the holdout and the10-fold cross-validation techniques and are shown inFigure 8

Table 8 shows and summarizes a comparison betweenthe proposed approach and the recent related works on theOBS network dataset In this comparison we can see that theproposed work achieves the highest accuracy result with asmall number of features compared to all these recent works

(e results presented in Figure 8 and Table 8 prove thehypothesis of the proposed approach that says that the firstthree selected features using the IG method are more

Table 3 Rank score of IG feature selection method for all featuresin the dataset

Feature name Featureno

Averagerank

Averagemerit

Packet received 13 18plusmn 117 1402plusmn 007910-run-AVG-drop-rate 17 41plusmn 164 1306plusmn 006Flood status 21 42plusmn 178 1309plusmn 0052Used bandwidth 9 43plusmn 366 1285plusmn 019110-run-AVG-bandwidth-use 18 43plusmn 162 1282plusmn 0122

Received byte 16 53plusmn 335 1241plusmn 0163Packet lost 14 67plusmn 332 1175plusmn 015Packet drop rate 3 93plusmn 2 1053plusmn 0083Packet received rate 8 98plusmn 16 1018plusmn 0043Percentage of lost byterate 7 98plusmn 108 1018plusmn 0044

Utilized bandwidth rate 2 10plusmn 232 105plusmn 0074Percentage of lostpacket rate 6 108plusmn 108 1009plusmn 0017

Average delay time 5 12plusmn 279 09plusmn 019Reserved bandwidth 10 128plusmn 166 0899plusmn 01Node status 20 149plusmn 03 0488plusmn 000410-run-delay 19 162plusmn 098 036plusmn 0104Full bandwidth 4 172plusmn 06 0146plusmn 0007Transmitted byte 15 177plusmn 046 0146plusmn 0007Packet transmitted 12 188plusmn 06 0146plusmn 0007Node 1 201plusmn 03 0017plusmn 0006Packet size byte 11 209plusmn 03 0plusmn 0

9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5

Figure 3 (e accuracies of proposed approach at different valuesof minimal number of objects


influential and more correlated to the labels of BHP floodingattacks than any of the other features

44ResultAnalysis For analyzing the results and linking theresults with conclusion we show how the proposed feature

selection method can improve the model from three dif-ferent angles reducing overfitting improving accuracy andreducing training and testing (prediction) time

From the definition of the overfitting problem it occurswhen the training errors are low or very low and the vali-dation errors are high or very high (erefore reducing the

Table 4 Evaluation results of holdout technique using all features of the dataset

Evaluation measureClass label FP rate Precision Recall F-measure AccuracyNB-no block 0039 0950 1000 0975

977695Block 0000 1000 1000 1000No block 0000 1000 1000 1000NB-wait 0000 1000 0925 0961Weighted avg 0017 0979 0978 0978

NB-noblock Block

Noblock NB-wait

NB-no block 115 0 0 0

Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74

Figure 4 (e confusion matrix of classification for the 25 testing set using all features of the dataset

Table 5 Evaluation results of holdout technique using the first three selected features of the dataset



NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80

Figure 5 (e confusion matrix of classification for the 25 testing set using the first three selected features of the dataset

Table 6 Evaluation results of 10-fold cross-validation technique using all features of the dataset




overfitting problem requires to reduce the gap between thetraining and validation error To show how the proposedmethod can reduce the overfitting problem we depict thetraining error against the validation error in Figure 9 withdifferent sets of features which are ordered according torank score given in Table 3 (e training percentage is set to75 and the validation percentage is 25 We notice thatthe gap between the training and validation error is de-creased as the number of features is decreased until the gapreaches zero approximately when using the three selectedfeatures of the proposed method We also notice that theoverfitting problem is eliminated with 14 and 7 features Inour opinion the overfitting problem is eliminated with 14and 7 features because of an implicit pruning functionalityimplemented by the used decision tree algorithm (J48) Inaddition it is clear that the accuracy is improved by the threeselected features

To evaluate the efficiency of the proposed featureselection approach the average time of building andtesting the DT model is computed (e DT model istrained on 75 of the dataset which consists of 806 in-stances and tested on 25 of the dataset which consists of269 instances Table 9 shows the computed average time oftraining and testing the DT model using all features andusing our three selected features

As shown in Table 9 we can see that the DTmodel has alower average time for training and testing using our threeselected features than using all features In terms of timecomplexity represented by O notation the overall averagetime of the DTmethod is O (mtimes n) where m is the numberof features and n is the number of instances [40] Because thenumber of features in classification problems is limited therunning time will be O (Ctimes n) where C is a constant time(erefore the time complexity of the DTmethod isO (n) forclassification problems (e advantage of the proposedapproach is that it reduces the number of features to threefeatures (reducing C) which leads to faster running timecompared with using all features (is confirms that theapproach is able to detect the attacks more efficiently es-pecially in congested network with limited computingresources

We can conclude that reducing the features to three andusing the pruning process of the DT classifier helped theproposed approach to reduce the overfitting problem andclassify the OBS flooding attacks Consequently all per-formance results clarified the effectiveness and efficiency ofthe DT model based on selected features to classify BHPflooding attacks (is reveals that the proposed approach ismore accurate and suitable for real-time detection in thelimited computing capability of OBS core switches

Table 7 Evaluation results of 10-fold cross-validation technique using the first three selected features of the dataset



NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300

Figure 7 (e confusion matrix of classification for the 10-fold cross-validation testing sets using the first three selected features of thedataset

NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296

Figure 6 (e confusion matrix of classification for the 10-fold cross-validation testing sets using all features in the dataset


8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()

Feature number in the rank score

AccuracyWeighted average F-measure

Figure 8 Evaluation results of accuracy and F-measure for the DTclassification method using a combination of the three selected featurescompared to all features

Table 8 Accuracy and number of features of the proposed BHP flooding attack detection approaches using OBS network dataset

Ref Year Approach Offeatures

Accuracy()

[34] 2018 Naıve Bayes 21 79[21] 2018 Features selection using chi-square testing (CHI) + decision tree for classification 7 87[34] 2018 Support vector machine 21 88[34] 2018 K-nearest neighbor 21 93

[27] 2018 Repeated incremental pruning to produce error reduction (RIPPER) rule inductionalgorithm 21 98

[4] 2019 Features selection using Pearson correlation coefficient (PCC) + semisupervised machinelearning with k-mean 8 956

[34] 2018 Deep convolutional neural network (DCNN) 21 99(iswork 2020 Features selection using information gain (IG) + decision tree for classification 3 100

0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features

Training errorValidation error

Figure 9 Training and validation error rates with different sets of features


5 Conclusion and Future Work

In this paper an effective and efficient approach using theinformation gain (IG) feature selection method and thedecision tree (DT) classifier is proposed to detect BHPflooding attacks on OBS networks (e approach starts withselecting the most important features of OBS network trafficto improve the accuracy and efficiency of attack detection inOBS switches that have limited resources A set of experi-ments is conducted on an OBS network dataset using 10-foldcross-validation and holdout techniques to evaluate andvalidate the approach (e experimental results demonstratethat the proposed approach can classify the class labels ofOBS nodes with 100 accuracy by using only three features(e comparison with recent related works reveals that theproposed approach is suitable for OBS network security interms of effectiveness and efficiency

One of the limitations of the proposed approach is thelack of evaluation onmore OBS datasets that can be varied insize and types of attacks due to unavailable OBS datasetsother than the dataset used in the experiments of this studyMoreover because the proposed approach is based on thedecision tree method for classification the training time isrelatively expensive in case of large training datasetsHowever by reducing the number of features of the pro-posed approach and the emergence of high-speed proces-sors this limitation is no longer a major problem In futurework a large set of OBS network data will be collected forfurther evaluation of the proposed approach and will bemade available for researchers in the field (is is due to lackof public OBS network datasets other than the dataset usedin this research work

Data Availability

(e OBS-network dataset used in this study is publiclyavailable at the UCI Machine Learning Repository [1]

Conflicts of Interest

(e author declares that there are no potential conflicts ofinterest with respect to the research authorship andorpublication of this article

Acknowledgments

(is study was supported by the Deanship of ScientificResearch at Prince Sattam Bin Abdulaziz University

References

[1] A Rajab C-T Huang M Al-Shargabi and J CobbldquoCountering burst header packet flooding attack in opticalburst switching networkrdquo Information Security Practice and

Experience Springer in Proceedings of the InternationalConference on Information Security Practice and Experiencepp 315ndash329 Springer Melbourne Australia December 2016

[2] T Venkatesh and C Murthy An Analytical Approach toOptical Burst Switched Networks Springer Boston MA 2010

[3] N Sreenath K Muthuraj and G V Kuzhandaivelu ldquo(reatsand vulnerabilities on TCPOBS networksrdquo in Proceedings ofthe 2012 International Conference on Computer Communi-cation and Informatics pp 1ndash5 IEEE Coimbatore IndiaJanuary 2012

[4] M K H Patwary andM Haque ldquoA semi-supervised machinelearning approach using K-means algorithm to prevent burstheader packet flooding attack in optical burst switchingnetworkrdquo Baghdad Science Journal vol 16 no 3 Supplementpp 804ndash815 2019

[5] A D A Rajab ldquoA machine learning approach for enhancingsecurity and quality of service of optical burst switchingnetworksrdquo University of South Carolina Columbia SouthCarolina Dissertation 2017

[6] S S Chawathe ldquoAnalysis of burst header packets in opticalburst switching networksrdquo in Proceedings of the 2018 IEEE17th International Symposium on Network Computing andApplications (NCA) pp 1ndash5 IEEE Cambridge MA USANovember 2018

[7] A Alazab M Hobbs J Abawajy and M Alazab ldquoUsingfeature selection for intrusion detection systemrdquo in Pro-ceedings of the 2012 International Symposium On Commu-nications and Information Technologies (ISCIT) pp 296ndash301IEEE Gold Coast QLD Australia October 2012

[8] J Li K Cheng S Wang et al ldquoFeature selection a dataperspectiverdquoACMComputing Surveys vol 50 no 6 pp 1ndash452017 httpsarxivorgabs160107996

[9] N Dessı and B Pes ldquoSimilarity of feature selection methodsan empirical study across data intensive classification tasksrdquoExpert Systems with Applications vol 42 no 10 pp 4632ndash4642 2015

[10] E J Keogh and A Mueen ldquoCurse of dimensionalityrdquo inEncyclopedia of Machine Learning and DataMining SpringerBoston MA USA 2017

[11] S S Kannan and N Ramaraj ldquoA novel hybrid feature se-lection via Symmetrical Uncertainty ranking based localmemetic search algorithmrdquoKnowledge-Based Systems vol 23no 6 pp 580ndash585 2010

[12] G Chandrashekar F Sahin and E Engineering ldquoA survey onfeature selection methodsrdquo Computers amp Electrical Engi-neering vol 40 no 1 pp 16ndash28 2014

[13] V Bolon-Canedo N Sanchez-Marontildeo and A Alonso-Betanzos ldquoA review of feature selection methods on syntheticdatardquo Knowledge and Information Systems vol 34 no 3pp 483ndash519 2013

[14] M M Kabir M M Islam and K Murase ldquoA new wrapperfeature selection approach using neural networkrdquo Neuro-computing vol 73 no 16ndash18 pp 3273ndash3283 2010

[15] A Mirzaei Y Mohsenzadeh and H Sheikhzadeh ldquoVaria-tional relevant sample-feature machine a fully Bayesian ap-proach for embedded feature selectionrdquo Neurocomputingvol 241 pp 181ndash190 2017

Table 9 Average time of training and testing the DT model using all features and using our three selected features

Dataset features Average time taken to build the model (seconds) Average time taken to test the model (seconds)Using all features 022 003Using our three selected features 001 0001


[16] M M Hassan A Gumaei A Alsanad M Alrubaian andG Fortino ldquoA hybrid deep learning model for efficient in-trusion detection in big data environmentrdquo InformationSciences vol 513 pp 386ndash396 2020

[17] F A Khan and A Gumaei ldquoA comparative study of machinelearning classifiers for network intrusion detectionrdquo in Pro-ceedings of the International Conference on Artificial Intelli-gence and Security pp 75ndash86 Springer New York NY USAJuly 2019

[18] F A Khan A Gumaei A Derhab and A Hussain ldquoTSDL atwo-stage deep learning model for efficient network intrusiondetectionrdquo IEEE Access vol 7 pp 30373ndash30385 2019

[19] M Alqahtani A Gumaei H Mathkour and M B Ismail ldquoAgenetic-based extreme gradient boosting model for detectingintrusions in wireless sensor networksrdquo Sensors vol 19no 20 p 4383 2019

[20] A Derhab M Guerroumi A Gumaei et al ldquoBlockchainand random subspace learning-based IDS for SDN-enabledindustrial IoT securityrdquo Sensors vol 19 no 14 p 31192019

[21] A Rajab C-T Huang M Al-Shargabi and NetworkingldquoDecision tree rule learning approach to counter burst headerpacket flooding attack in optical burst switching networkrdquoOptical Switching and Networking vol 29 pp 15ndash26 2018

[22] Q Liao H Li S Kang C Liu and C Networks ldquoApplicationlayer DDoS attack detection using cluster with label based onsparse vector decomposition and rhythm matchingrdquo Securityand Communication Networks vol 8 no 17 pp 3111ndash31202015

[23] P Xiao W Qu H Qi and Z Li ldquoDetecting DDoS attacksagainst data center with correlation analysisrdquo ComputerCommunications vol 67 pp 66ndash74 2015

[24] R Karimazad and A Faraahi ldquoAn anomaly-based method forDDoS attacks detection using RBF neural networksrdquo inProceedings of the International Conference on Network andElectronics Engineering vol 11 pp 44ndash48 Noida IndiaDecember 2011

[25] R Zhong and G Yue ldquoDDoS detection system based on dataminingrdquo in Proceedings of the 2nd International Symposiumon Networking and Network Security pp 2ndash4 JinggangshanChina April 2010

[26] Y-C Wu H-R Tseng W Yang and R-H Jan ldquoDDoSdetection and traceback with decision tree and grey relationalanalysisrdquo in Proceedings of the 2009 ltird InternationalConference on Multimedia and Ubiquitous Engineeringpp 306ndash314 IEEE Qingdao China June 2009

[27] R Alshboul ldquoFlood attacks control in optical burst networksby inducing rules using data miningrdquo IJCSNS InternationalJournal of Computer Science and Network Security vol 18no 2 pp 160ndash167 2018

[28] J-H Chen M Zhong F-J Chen and A-D Zhang ldquoDDoSdefense system with turing test and neural networkrdquo inProceedings of the 2012 IEEE International Conference onGranular Computing pp 38ndash43 IEEE Hangzhou ChinaAugust 2012

[29] J Li Y Liu and L Gu ldquoDDoS attack detection based onneural networkrdquo in Proceedings of the 2010 2nd InternationalSymposium on Aware Computing pp 196ndash199 IEEE TainanChina November 2010

[30] V Akilandeswari and S M Shalinie ldquoProbabilistic neuralnetwork based attack traffic classificationrdquo in Proceedings ofthe 2012 Fourth International Conference on AdvancedComputing (ICoAC) pp 1ndash8 IEEE Chennai India De-cember 2012

[31] H Li and D Liu ldquoResearch on intelligent intrusion pre-vention system based on snortrdquo in Proceedings of the 2010International Conference on Computer Mechatronics Controland Electronic Engineering vol 1 pp 251ndash253 IEEEChangchun China August 2010

[32] L M Ibrahim ldquoAnomaly network intrusion detection systembased on distributed time-delay neural network (DTDNN)rdquoJournal of Engineering Science and Technology vol 5 no 4pp 457ndash471 2010

[33] N Gao D-G Feng and J Xiang ldquoA data-mining based DoSdetection techniquerdquo Chinese Journal of Computers vol 29no 6 pp 944ndash951 2006

[34] M Z Hasan K M Z Hasan and A Sattar ldquoBurst headerpacket flood detection in optical burst switching networkusing deep learning modelrdquo Procedia Computer Sciencevol 143 pp 970ndash977 2018

[35] C Largeron C Moulin and M Gery ldquoEntropy based featureselection for text categorizationrdquo in Proceedings of the 2011ACM Symposium On Applied Computing pp 924ndash928 ACMTaichung Taiwan March 2011

[36] J Friedman ldquoA recursive partitioning decision rule fornonparametric classificationrdquo IEEE Transactions on Com-puters vol C-26 no 4 pp 404ndash408 1977

[37] J R Quinlan C4 5 Programming For Machine LearningMorgan Kaufmann vol 38 p 48 San Mateo CA USA 1993

[38] J R Quinlan ldquoInduction of decision treesrdquo MachineLearning vol 1 no 1 pp 81ndash106 1986

[39] A Marzano D Alexander O Fonseca et al ldquo(e evolution ofbashlite and mirai IoT botnetsrdquo in Proceedings of the 2018IEEE Symposium on Computers and Communications (ISCC)pp 00813ndash00818 IEEE Natal Brazil June 2018

[40] J Bekker and J Davis ldquoEstimating the class prior in positiveand unlabeled data through decision tree inductionrdquo inProceedings of theltirty-Second AAAI Conference on ArtificialIntelligence New Orleans LA USA Febraury 2018


questions are formulated to answer throughout this study(e first research question is does the feature selectionmethod improve the effectiveness of the DTmodel to detectthe BHP flooding attacks (e second research question isdoes the feature selection method improve the efficiency ofthe DT model for detecting the BHP flooding attacks Ac-tually the lightweight property of the model comes from thefact that only a small number of features are used to build theclassifier (e model will be evaluated using a public OBSdataset based on a set of performance metrics such as ac-curacy precision recall and F-measure

(e remainder of the research is organized as follows

(i) In Section 2 related works are introduced to givedetails about the proposed approaches and methodsof DoS attack on different networks

(ii) Section 3 presents the proposed approach archi-tecture for detecting the BHP flooding attacks onOBS networks

(iii) Section 4 explains the experimental setup and re-sults in more detail

(iv) Section 5 presents the conclusion of the study

2 Related Works

Nowadays machine learning (ML) methods have been usedin many intrusion detection systems (IDSs) to detect severaltypes of network attacks However feature selectionmethods are also used to select the significant features ofnetwork traffic without reducing the performance of theIDSs [7] Feature selection is the process of selecting the bestset of features that can be most effective for classificationtasks [8 9] (e high number of features may decrease theperformance and accuracy of many classification problems[10 11]

In the field of optimization feature selection methodsare classified in three main approaches embedded wrapperand filter methods [12] For the filter methods there are twomajor types of evaluation subset feature evaluation andgroups of individual feature evaluation In the groups ofindividual feature evaluation heuristic or metaheuristicfilter methods or even the hybrid of them is utilized forranking the features and then the best of them is selectedbased on some thresholds [11 13] In contrast the subsetfeature evaluation methods find the subset of candidatefeatures using a certain measure or a certain strategy (eycompare the previous best subset with the current subset forfinding the candidate subset of features In the groups ofindividual feature evaluation methods the redundant fea-tures are kept in the final subset of selected featuresaccording to their relevance but the group of subset featureevaluation methods removes the features with similar ranksIn general the filter methods are considered as classifier-independent approaches [13] (e wrapper methods areclassifier-dependent approaches that take each time asubset of features from the total features and calculate theaccuracy of classifiers to find the best subset (ereforethey are time consuming compared with filter methods

[14] (e embedded methods combine wrapper and filtermethods [15] In this study a filter-based method is usedfor feature selection

In the literature review of intrusion detection a set ofMLand deep learning (DL) methods have been widely used todetect different types of attacks in several works [16ndash20]Meanwhile a set of related works have also been proposedfor detecting BHP flooding attacks using different MLmethods like the decision tree (DT) method in [21] (iswork evaluated the performance of the adopted methodusing different metrics and reported a 93 accuracy rate inclassifying the classes of BHP flooding attack Liao et al [22]introduced a classification approach to classify the accesspatterns of various users using sparse vector decomposition(SVD) and rhythm matching methods (is study demon-strates that the approach is able to distinguish between theintruders and the legal users in the application layer

Xiao et al [23] offered an effective scheme for detecting adistributed DoS attack (DDoS) using the correlation of theinformation generated by the data center and the k-nearestneighbors (KNNs) method (ey analyzed the flows of datatraffic at the center to identify normal and abnormal flowsIn [24] the authors proposed an approach for detectingDDoS attacks based on seven features and using an artificialneural network (ANN) method with a radial basis function(RBF) (is NN-RBF approach can classify the data trafficinto attack or normal classes by sending the IP address of theincoming packets from the source nodes to be filtered in thealarmmodules which then decide if these data packets can besent to the destination nodes

(e authors in [25] applied a data mining method fordetecting a DDoS attack using the fuzzy clustering method(FCM) and a priori association algorithm to categorize thedata traffic patterns and the status of the network AnotherML approach in [26] used a DT method with a grey rela-tional analysis for detecting DDoS attacks (ey also appliedthe pattern matching technique to the data flows for tracingback the estimated location of the attackers

Alshboul [27] investigated the use of rule inductionnodes for BHP classification in OBS networks (e authorapplied a set of data mining methods to the public OBSnetwork dataset He reported that the repeated incrementalpruning to produce error reduction (RIPPER) rule inductionalgorithm Naıve Bayes (NB) and Bayes Net were able toachieve a predictive accuracy of 98 69 and 85respectively

Chen et al [28] developed a detection method to identifya DDoS attack using ANN A set of different simulated DoSattacks were used for training the ANN model to recognizeabnormal behaviors Li et al [29] offered different types ofANN models including learning vector quantization (LVQ)models to differentiate traffic associated with DDoS attacksfrom normal traffic (e authors converted the values of thedataset features into a numerical format before feeding theminto the ANN model

In [30] the authors presented a probabilistic ANNapproach for classifying the different types of DDoS attacks(ey categorized the DDoS attacks and normal traffic byapplying radial basis function neural network (RBF-NN)





3 Proposed Approach





E(D) 1113944n

i1Pilog2 Pi( 1113857 (1)


DiisinC1113868111386811138681113868

1113868111386811138681113868

D (2)




j1

Dj

11138681113868111386811138681113868

11138681113868111386811138681113868

Dtimes E(DJ) (3)








(x y) x1 x2 x3 xk y( 1113857 (5)










precision TP

TP + FP


TP + FN


accuracy TP + TN

TP + TN + FP + FN

(6)










features















11 Packet size byte



















No ofinstances 500 120 155 300 1075

47

11

14

28

NB-no blockBlock

No blockNB-wait

















Averagerank

Averagemerit





9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5










NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References

















































3 Proposed Approach





E(D) 1113944n

i1Pilog2 Pi( 1113857 (1)


DiisinC1113868111386811138681113868

1113868111386811138681113868

D (2)




j1

Dj

11138681113868111386811138681113868

11138681113868111386811138681113868

Dtimes E(DJ) (3)








(x y) x1 x2 x3 xk y( 1113857 (5)










precision TP

TP + FP


TP + FN


accuracy TP + TN

TP + TN + FP + FN

(6)










features















11 Packet size byte



















No ofinstances 500 120 155 300 1075

47

11

14

28

NB-no blockBlock

No blockNB-wait

















Averagerank

Averagemerit





9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5










NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References





















































precision TP

TP + FP


TP + FN


accuracy TP + TN

TP + TN + FP + FN

(6)










features















11 Packet size byte



















No ofinstances 500 120 155 300 1075

47

11

14

28

NB-no blockBlock

No blockNB-wait

















Averagerank

Averagemerit





9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5










NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References
























































11 Packet size byte



















No ofinstances 500 120 155 300 1075

47

11

14

28

NB-no blockBlock

No blockNB-wait

















Averagerank

Averagemerit





9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5










NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References




























































Averagerank

Averagemerit





9200

9300

9400

9500

9600

9700

9800

9900

10000

1 2 3 4 5










NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References





















































NB-noblock Block

Noblock NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 6 0 0 74





NB-noblock Block No

block NB-wait


Block 0 31 0 0

No block 0 0 43 0

NB-wait 0 0 0 80













NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References





















































NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 0 0 0 300


NB-noblock Block No

block NB-wait


Block 0 120 0 0

No block 0 0 155 0

NB-wait 4 0 0 296



8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References














































8800

9000

9200

9400

9600

9800

10000

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

Hol

dout

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

10-fo

ld C

V

13 17 21 1317

1321

1721

131721

All 13 17 21 1317

1321

1721

131721

All

Accu

racy

and

wei

ghte

d av

erag

eF-

mea

sure

()






Accuracy()





0000

0500

1000

1500

2000

2500

3000

All 1 to 19 1 to 16 1 to 14 1 to 7 1 to 3

Erro

r rat

es (

)

Number of features







Data Availability




Acknowledgments


References

















































Data Availability




Acknowledgments


References














































anefficientandeffectiveapproachforfloodingattack...

Documents